US10924492B2 - Information leakage prevention system and method - Google Patents

Information leakage prevention system and method Download PDF

Info

Publication number
US10924492B2
US10924492B2, US15/753,249, US201615753249A
Authority
US
United States
Prior art keywords
information
security policy
user
server
client terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US15/753,249
Other languages
English (en)
Other versions
US20180241758A1 (en)
Inventor
Atsuo Inoue
Yuzo Oshida
Tateki Harada
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Solutions Ltd
Original Assignee
Hitachi Solutions Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hitachi Solutions Ltd
Assigned to HITACHI SOLUTIONS, LTD. (assignment of assignors' interest; see document for details). Assignors: HARADA, TATEKI; INOUE, ATSUO; OSHIDA, YUZO
Publication of US20180241758A1
Application granted
Publication of US10924492B2
Legal status: Active
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0893 Assignment of logical groups to network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • the present disclosure relates to an information leakage prevention technique for preventing information leakage due to malware, for example.
  • Patent Literature 1 discloses a technique for preventing damage by blocking connection from a client machine infected with malware to a C&C server, or for isolating the infected client machine from a network. According to the technique disclosed in Patent Literature 1, upon detection of traffic anomaly, packets directed to a specific address are blocked using a firewall device and a relay device.
  • Patent Literature 1 JP 2012-015684 A
  • Patent Literature 1 presupposes the presence of a firewall device and a relay device between an external network and a client machine, where the client machine needs to be installed in a specific internal network in which the firewall device and the relay device are present. Accordingly, the technique is unable to prevent information leakage from a client machine positioned outside the internal network.
  • the present description includes a plurality of means for solving the problem, of which one is an information leakage prevention system including: a client terminal with a client processing unit which performs network control in accordance with an acquired security policy; and a management server including a user database in which information concerning a user of the client terminal is stored, a security policy database in which a security policy defining a network control content for each attribute of the user is stored, and a server processing unit which, on the basis of the attribute of the user and a time of delivery of the security policy, selects the security policy and transmits the selected security policy to the corresponding client terminal.
  • FIG. 1 is a diagram illustrating an overall configuration of a system according to the first embodiment.
  • FIG. 2 is a diagram for describing the structure of data stored in a user database (the first embodiment).
  • FIG. 3 is a diagram for describing the structure of data stored in a security policy database (the first embodiment).
  • FIG. 4 is a flowchart for describing a processing procedure upon startup of a client machine (the first embodiment).
  • FIG. 5 is a flowchart for describing a processing procedure for a management server upon startup of a client machine (the first embodiment).
  • FIG. 6 is a flowchart for describing a processing procedure for a client machine during malware infection (the first embodiment).
  • FIG. 7 is a flowchart for describing a processing procedure for a management server during malware infection (the first embodiment).
  • FIG. 8 is a diagram illustrating an overall configuration of a system according to the second embodiment.
  • FIG. 9 is a diagram for describing the structure of data stored in a user database (the second embodiment).
  • FIG. 10 is a diagram for describing the structure of data stored in a security policy database (the second embodiment).
  • FIG. 11 is a flowchart for describing a processing procedure for a client machine during malware infection (the second embodiment).
  • FIG. 12 is a flowchart for describing a processing procedure for a management server during malware infection (the second embodiment).
  • FIG. 13 is a diagram illustrating an overall configuration of a system according to the third embodiment.
  • FIG. 14 is a diagram for describing the structure of data stored in a user database (the third embodiment).
  • FIG. 15 is a diagram for describing the structure of data stored in a security policy database (the third embodiment).
  • FIG. 16 is a flowchart for describing a processing procedure for a client machine during malware infection (the third embodiment).
  • FIG. 17 is a flowchart for describing a processing procedure for a management server during malware infection (the third embodiment).
  • FIG. 1 illustrates the overall configuration of an information leakage prevention system 100 according to the present embodiment.
  • the information leakage prevention system 100 is a system which, based on a cooperation of a client machine and a management server, controls network connection of the client machine or an access thereof to a C&C server to prevent information leakage by malware infection.
  • the information leakage prevention system 100 includes a management server 106 and client machines 103 and 111 .
  • the management server 106 and the client machines 103 and 111 are connected via a network 102 . While in FIG. 1 , only the client machines 103 and 111 are depicted, the number of the client machines may be arbitrarily determined.
  • Each of the client machines 103 and 111 includes a computer as a basic configuration and is constituted by a CPU, a RAM, a ROM, a hard disk device, a network interface, a display device and the like.
  • the client machines 103 and 111 implement anti-malware software 104 and a client processing unit 114 of which the functions are provided through the execution of a program by the CPU.
  • the anti-malware software 104 is a program for detecting malware infection.
  • the client processing unit 114 includes a user information transmission function, a malware detection information transmission function, and a network control function.
  • the user information transmission function is used for transmitting user information.
  • the malware detection information transmission function is used for transmitting malware detection information.
  • the network control function controls connection or disconnection with the network and the like.
  • the management server 106 includes a computer as a basic configuration and is constituted by a CPU, a RAM, a ROM, a hard disk device, a network interface and the like. To the management server 106 , a display device may be connected as needed. In the present embodiment, the management server 106 implements a user database (database) 107 , a security policy database (DB) 109 , and a server processing unit 115 .
  • the server processing unit 115 through the execution of a program by the CPU, provides a user information management function, a security policy management function, and a security policy transmission function.
  • the user information management function manages the user database 107 .
  • the security policy management function manages the security policy database 109 .
  • the security policy transmission function is used for transmitting a security policy.
  • data 108 are stored, including the user name (or identifier), affiliation, and position of each user, and the IP address of the client machine. In the present description, these items of information may be collectively referred to as “information concerning a user”.
  • the user name (or identifier), affiliation, and position of each user may be collectively referred to as “user information”.
  • the affiliation, position, and the time of delivery of a policy of each user may be collectively referred to as “attribute”.
  • data 110 describing affiliation, position, the time of delivery of policy, the operation during policy application and the like are stored.
  • the client machines 103 and 111 started up by the user transmit the user information registered in advance (user name, affiliation, and position) and the IP addresses of the client machines (upon startup) to the management server 106 . If any of the registered user name, affiliation, position, or IP address has been modified, the client machines 103 and 111 transmit the user name, affiliation, position, or IP address after modification (after an update) to the management server 106 .
  • the management server 106 upon receiving the information about the user name, affiliation, position, and IP address of each user from the client machines 103 and 111 , stores the information in the user database 107 .
  • the client machine 103 transmits malware detection information output from the anti-malware software 104 to the management server 106 .
  • the malware detection information includes detection date/time and information of the C&C server with which the malware communicates.
  • the management server 106 upon reception of the malware detection information, extracts the C&C server information from the detection information.
  • the management server 106 then identifies the current time for policy delivery, and searches the data 110 stored in the security policy database 109 using the identified current time. In this case, the management server 106 selects a security policy registered with respect to the combination of affiliation and position associated with the current time.
  • the management server 106 also extracts from the data 108 stored in the user database 107 each IP address corresponding to the combination of affiliation and position associated with the current time, and transmits to the IP address the security policy and C&C server information corresponding to each user.
  • the transmission destination is not limited to the client machine 103 infected with malware.
  • both of the client machines 103 and 111 are transmission destinations for the security policy and the C&C server information.
  • the client machines 103 and 111 sever connection with the C&C server 101 or sever connection with the network 102 , in accordance with the content of the security policy received.
  • the client machine 103 severs connection with the network 102 .
  • the client machine 111 severs connection only with the C&C server 101 (and maintains connection with the network).
  • FIG. 2 illustrates a structure example of the data 108 stored in the user database 107 .
  • the user database 107 includes the data items of each user's user name 201 , affiliation 202 , position 203 , and IP address 204 of the client machine. These items of information are transmitted from the client machines 103 and 111 to the management server 106 upon startup, and stored by the management server 106 in corresponding item positions.
  • If the received user name 201 is already registered in the user database 107 , the management server 106 overwrites the affiliation 202 , position 203 , and IP address 204 linked with the existing user name 201 with the newly received information. If the received user name 201 is not registered in the user database 107 , the management server 106 stores the received user name 201 , affiliation 202 , position 203 , and IP address 204 in a new row. The administrator of the management server 106 may delete an unwanted row from the user database 107 .
  • FIG. 3 illustrates a structure example of the data 110 stored in the security policy database 109 .
  • the security policy database 109 includes the data items of affiliation 301 , position 302 , time 303 of policy delivery, and operation 304 during policy application.
  • the management server 106 , upon reception of the malware detection information from any of the client machines 103 and 111 , searches the security policy database 109 using the current time for policy delivery, and selects, for each combination of the affiliation 301 and the position 302 whose time 303 includes the current time, the security policy (operation 304 during policy application) to be applied to the users identified by that combination.
  • the management server 106 assumes that the operation 304 during policy application is “prohibit network connection”, and delivers the policy to all of the client machines being managed.
  • the “prohibit network connection” is the strictest operation.
  • the administrator of the management server 106 may set the operation 304 during policy application for each combination of the affiliation 301 , position 302 and time 303 , and may also modify or delete the data after the setting.
  • FIG. 4 illustrates a processing procedure performed in the client machines 103 and 111 upon startup of the client machines.
  • the client processing unit 114 logs onto the operating system (OS) (step 402 ).
  • the client processing unit 114 acquires its own IP address (step 403 ).
  • the client processing unit 114 transmits the IP address acquired in step 403 and the user information of the user registered in advance (user name, affiliation, and position information) to the management server 106 (step 404 ).
  • FIG. 5 illustrates a processing procedure performed by the management server 106 upon startup of the client machines.
  • the server processing unit 115 of the management server 106 receives IP address and user information from the client machines 103 and 111 (step 501 ).
  • the user information is the user information transmitted in step 404 .
  • the server processing unit 115 determines whether the user name included in the received user information is registered in the user database 107 (step 502 ). If the user name is registered in the user database 107 , the server processing unit 115 overwrites and updates the information of the affiliation 202 , position 203 , and IP address 204 associated with the user name with the content of the received user information (step 503 ). If the user name is not registered in the user database 107 , the server processing unit 115 newly registers the content of the received user information in the user database 107 (step 504 ).
  • FIG. 6 illustrates a processing procedure performed by the client machine 103 infected with malware.
  • Malware infection is detected by the anti-malware software 104 running in the client machine 103 .
  • Upon detection of malware infection, the anti-malware software 104 outputs malware detection information (step 601 ). Then, the client processing unit 114 of the client machine 103 transmits the malware detection information to the management server 106 (step 602 ).
  • the client processing unit 114 receives from the management server 106 a security policy and C&C server information (step 603 ). In this case, the client processing unit 114 determines whether the operation during policy application included in the received security policy is “prohibit network connection” or “prohibit C&C server connection” (step 604 ). If the operation during policy application is “prohibit network connection”, the client processing unit 114 severs connection with the network 102 , and isolates itself from the network (step 605 ). On the other hand, if the operation during policy application is “prohibit C&C server connection”, the client processing unit 114 prohibits connection only with respect to the address of the C&C server 101 included in the received C&C server information (step 606 ). In the client machine 111 that is not infected with malware, the operation subsequent to step 603 is performed.
  • FIG. 7 illustrates a processing procedure performed by the management server 106 notified of malware infection.
  • the server processing unit 115 receives the malware detection information from the client machine 103 (step 701 ).
  • the malware detection information is the malware detection information transmitted in step 602 .
  • the server processing unit 115 searches the policy database 109 on the basis of the current time for policy delivery, and selects, for each combination of affiliation and position that has the time 303 including the current time, a security policy for delivery (operation 304 during policy application) (step 702 ), where a plurality of combinations may be selected.
  • the server processing unit 115 compares the combination of affiliation and position identifying the user for which the security policy has been selected, with the combinations of affiliation and position in the user database 107 , and determines the IP address of the transmission destination of the security policy for delivery to each user (step 703 ). Thereafter, the server processing unit 115 transmits the corresponding security policy and the C&C server information to the determined IP address (step 704 ).
  • the security policy and the C&C server information herein are the security policy and the C&C server information that the client machine received in step 603 .
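The server-side path of FIGS. 5 and 7 (register or overwrite a user row; select, for the current time, one operation per affiliation/position combination; address every managed client, not only the infected one; fall back to the strictest operation when no rule matches), as an added Python example that is not code from the patent or from Hitachi Solutions. The record layouts mirror the described user and security policy databases; the "HH:MM-HH:MM" delivery-time window format, the function names and the sample users, rules and C&C address are assumptions constructed for this example.

```python
"""First-embodiment policy selection (FIGS. 5 and 7), written as an
illustration; this is not code from the patent. Record layouts mirror the
described user and security policy databases; the "HH:MM-HH:MM" window
format, all names and all sample rows are assumptions of this example."""
from dataclasses import dataclass
from datetime import time

PROHIBIT_NETWORK = "prohibit network connection"    # strictest operation
PROHIBIT_CC = "prohibit C&C server connection"


@dataclass
class UserRecord:           # one row of the user database (FIG. 2)
    user_name: str
    affiliation: str
    position: str
    ip_address: str


@dataclass
class PolicyRule:           # one row of the security policy database (FIG. 3)
    affiliation: str
    position: str
    window: str             # delivery-time window "HH:MM-HH:MM"; may cross midnight
    operation: str          # operation during policy application


def register_user(user_db, rec):
    """FIG. 5 steps 502-504: overwrite the row for an existing user name,
    otherwise add a new row. Keying the dict by user name gives both branches."""
    user_db[rec.user_name] = rec
    return user_db


def in_window(window, now_hhmm):
    """True if the clock time now_hhmm falls inside the delivery-time window."""
    start_s, end_s = window.split("-")
    start, end, now = (time.fromisoformat(s) for s in (start_s, end_s, now_hhmm))
    if start <= end:
        return start <= now < end
    return now >= start or now < end          # window wraps past midnight


def select_policies(policy_db, now_hhmm):
    """FIG. 7 step 702: the operation for every (affiliation, position)
    whose window contains the current time; several may be selected."""
    return {(r.affiliation, r.position): r.operation
            for r in policy_db if in_window(r.window, now_hhmm)}


def deliveries(user_db, policy_db, now_hhmm, cc_server):
    """FIG. 7 steps 703-704: map each managed client's IP address to what it
    receives. All managed clients are destinations, not only the infected one.
    A user with no rule for the current time gets the strictest operation,
    which the description says the server assumes in that case."""
    selected = select_policies(policy_db, now_hhmm)
    return {
        rec.ip_address: {
            "operation": selected.get((rec.affiliation, rec.position), PROHIBIT_NETWORK),
            "cc_server": cc_server,
        }
        for rec in user_db.values()
    }


# Constructed sample data (private and TEST-NET addresses, fictional users).
SAMPLE_USERS = {}
for _u in (UserRecord("alice", "sales", "manager", "10.0.0.11"),
           UserRecord("bob", "sales", "staff", "10.0.0.12"),
           UserRecord("carol", "development", "staff", "10.0.0.13")):
    register_user(SAMPLE_USERS, _u)

SAMPLE_POLICIES = [
    PolicyRule("sales", "manager", "09:00-18:00", PROHIBIT_CC),       # office hours
    PolicyRule("sales", "manager", "18:00-09:00", PROHIBIT_NETWORK),  # overnight
    PolicyRule("sales", "staff", "09:00-18:00", PROHIBIT_NETWORK),
    # "development"/"staff" has no rule on purpose: it exercises the fallback.
]
SAMPLE_CC_SERVER = "203.0.113.5"   # constructed C&C address from the detection report

if __name__ == "__main__":
    for ip, msg in deliveries(SAMPLE_USERS, SAMPLE_POLICIES, "10:30", SAMPLE_CC_SERVER).items():
        print(ip, msg["operation"])
```

Windows that wrap past midnight are handled, and a user whose attributes have no rule for the current time receives "prohibit network connection", so a gap in the policy table fails closed instead of leaving a client connected during an incident.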
  • Even though the network 102 constituting the information leakage prevention system 100 of the present embodiment does not include a firewall device or a relay device, the information transmission from the client machines 103 and 111 to the C&C server 101 can be blocked, or the client machines 103 and 111 can be isolated from the network 102 .
  • the security policy applied to the client machines 103 and 111 (operation during policy application) can be determined in accordance with the combination of affiliation and position of the user. That is, the strength of the security policy can be changed in accordance with the attributes of the user of the client machines 103 and 111 .
  • FIG. 8 illustrates the overall configuration of an information leakage prevention system 200 according to the present embodiment.
  • portions corresponding to those of FIG. 1 are designated with identical or similar reference signs.
  • the basic configuration of the information leakage prevention system 200 is the same as that of the information leakage prevention system 100 according to the first embodiment.
  • Each of client machines 803 and 811 has a computer as a basic configuration and is constituted by a CPU, a RAM, a ROM, a hard disk device, a network interface and the like.
  • the client machines 803 and 811 implement the anti-malware software 104 and a client processing unit 814 of which the functions are provided through the execution of a program by the CPU.
  • the client machines 803 and 811 of the present embodiment further implement a GPS terminal 805 .
  • the GPS terminal 805 may be provided externally to the client machine 803 .
  • the GPS terminal 805 acquires physical position information (latitude, longitude, and height) of the client machines 803 and 811 .
  • the client processing unit 814 provides a user information transmission function, a position information processing function, a malware detection information transmission function, and a network control function, through the execution of a program by the CPU.
  • the functions are the same as those of the first embodiment with the exception of the position information processing function.
  • the position information processing function in accordance with a request for position information, acquires the current position information from the GPS terminal 805 , and transmits the current position information to the source of the request (management server 806 ). If the client processing unit 814 includes a table for converting the physical position information into managerial position information (such as in office, outside office, with client, or in company housing), the managerial position information may be transmitted as the position information.
  • the table used for the conversion may be registered in the client processing unit 814 in advance, or may be notified from the management server 806 .
  • the management server 806 has a computer as a basic configuration and is constituted by a CPU, a RAM, a ROM, a hard disk device, a network interface and the like. To the management server 806 , a display device may be connected, as needed. In the present embodiment, the management server 806 implements a user database (database) 807 , a security policy database (DB) 809 , and a server processing unit 815 .
  • the server processing unit 815 provides a user information management function, a position information management function, a security policy management function, and a security policy transmission function, through the execution of a program by the CPU.
  • the functions are the same as those of the first embodiment with the exception of the position information management function.
  • the position information management function upon reception of malware detection information, requests the current position information from the client machines 803 and 811 .
  • the position information management function upon reception of position information from the client machines 803 and 811 , registers the received position information in the user database 807 .
  • the position information management function when GPS information output from the GPS terminal 805 is received as position information as is, converts the GPS information as the physical position information into managerial position information, and registers the managerial position information in the user database 807 .
  • the position information management function may implement a function for transmitting to the client machines 803 and 811 a table for converting GPS information into managerial position information.
  • the server processing unit 815 of the management server 806 upon reception of malware detection information, extracts C&C server information from the malware detection information.
  • the server processing unit 815 also searches data 810 in the security policy database 809 on the basis of the current time for policy delivery.
  • the management server 806 selects a combination of a security policy candidate and position information that is registered with respect to the combination of affiliation and position associated with the current time.
  • the management server 806 also compares the position information of the selected combination with the received position information, and determines a security policy corresponding to the combination including the matching position information as the security policy to be applied to the relevant user.
  • the management server 806 also extracts from the user database 807 the IP address corresponding to the affiliation and position of the determined combination, and transmits to the IP address the security policy and C&C server information corresponding to each user.
  • FIG. 9 illustrates a structure example of data 808 stored in the user database 807 .
  • the user database 807 includes the data items of each user's user name 901 , affiliation 902 , position 903 , IP address 904 of the client machine, and position information 905 .
  • Information other than the position information 905 is transmitted from the client machines 803 and 811 to the management server 806 upon startup, and stored by the management server 806 in the user database 807 .
  • If the received user name 901 is already registered in the user database 807 , the management server 806 overwrites the affiliation 902 , position 903 , and IP address 904 linked with the existing user name 901 with the newly received information. If the received user name 901 is not registered in the user database 807 , the management server 806 stores the received user name 901 , affiliation 902 , position 903 , and IP address 904 in a new row.
  • the management server 806 upon reception of the position information 905 from the client machines 803 and 811 , searches the user database 807 using the IP address 904 of the source of transmission of the position information 905 , and stores the received position information 905 in a row corresponding to the IP address 904 .
  • In the position information 905 , managerial position information is recorded.
  • the client machines 803 and 811 , upon startup and upon IP address modification, transmit the user information to the management server 806 . Accordingly, the IP address 904 of the source of transmission of the position information 905 is always stored in the user database 807 . That is, the case in which the IP address 904 of the source of transmission of the position information 905 is not stored in the user database 807 is not contemplated.
  • FIG. 10 illustrates a structure example of the data 810 stored in the security policy database 809 .
  • the security policy database 809 includes the data items of affiliation 1001 , position 1002 , time 1003 , position information 1004 , and operation 1005 during policy application.
  • In the position information 1004 , managerial position information is recorded.
  • the management server 806 , upon reception of malware detection information from any of the client machines 803 and 811 , refers to the security policy database 809 and selects, as a candidate, each security policy (operation 1005 during policy application) registered for the combination of the affiliation 1001 and position 1002 of the user, the time 1003 of policy delivery that includes the current time, and position information 1004 . At this point in time, the security policy cannot be determined because refinement using the position information is yet to be performed.
  • the management server 806 assumes that the operation 1005 during policy application is “prohibit network connection”, and delivers the policy to all of the client machines being managed.
  • the administrator of the management server 806 may set the operation 1005 during policy application for each combination of affiliation 1001 , position 1002 , time 1003 , and position information 1004 , and may modify or delete data after the setting.
  • FIG. 11 illustrates the processing procedure performed by the client machine 803 infected with malware. Malware infection is detected by the anti-malware software 104 running in the client machine 803. Upon detection of malware infection, the anti-malware software 104 outputs malware detection information (step 1101). Then, the client processing unit 814 of the client machine 803 transmits the malware detection information to the management server 806 (step 1102).
  • Next, the client processing unit 814 receives a position information acquisition request from the management server 806 (step 1103).
  • The client processing unit 814 acquires position information from the GPS terminal 805 and transmits the acquired position information to the management server 806 (step 1104).
  • The client processing unit 814 then receives a security policy and C&C server information from the management server 806 (step 1105).
  • The client processing unit 814 determines whether the operation during policy application included in the received security policy is "prohibit network connection" or "prohibit C&C server connection" (step 1106).
  • If the operation during policy application is "prohibit network connection", the client processing unit 814 severs its connection with the network 102 and isolates itself from the network (step 1107). On the other hand, if the operation during policy application is "prohibit C&C server connection", the client processing unit 814 prohibits connection only to the address of the C&C server 101 included in the received C&C server information (step 1108). In the client machine 811, which is not infected with malware, only the operations from step 1103 onward are performed.
  • FIG. 12 illustrates the processing procedure performed by the management server 806 when notified of malware infection.
  • The server processing unit 815 receives malware detection information from the client machine 803 (step 1201).
  • This malware detection information is the malware detection information transmitted in step 1102.
  • The server processing unit 815 then transmits a position information acquisition request to the client machines 803 and 811 (step 1202). That is, the server processing unit 815 transmits the position information acquisition request not only to the client machine 803 that has detected malware infection, but to all of the client machines being managed. Thereafter, the server processing unit 815 receives position information from the client machines 803 and 811 (step 1203). This position information is the position information transmitted in step 1104. The server processing unit 815 stores the received position information in the user database 807 (step 1204).
  • The server processing unit 815 searches the security policy database 809 on the basis of the current time for policy delivery, and selects the combinations of security policy (operation 1005 during policy application) and position information 1004 registered for users whose time 1003 includes the current time (step 1205).
  • The server processing unit 815 compares the position information 1004 of each user corresponding to a security policy selected in step 1205 with the position information 905 registered in the user database 807, and identifies the attributes and security policy of each matching user (i.e., each user who satisfies the conditions of both time 1003 and position information 1004). Further, the server processing unit 815 determines from the user database 807 the IP address of the user corresponding to the identified attributes and position information 905 (step 1206).
  • The server processing unit 815 transmits the corresponding security policy and C&C server information to the determined IP address (step 1207).
  • This security policy and C&C server information are the security policy and C&C server information that the client machine receives in step 1105.
  • In this way, the security policy (operation during policy application) to be applied to the client machines 803 and 811 can be determined by combining the position information with the user's affiliation and position and the time of policy delivery. That is, it is possible to apply a more complex, or more flexible, security policy than in the case of the first embodiment.
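The selection in steps 1205 to 1207 can be made concrete with a small model of the two tables. The following Python is an added example written for this page, not code from the patent or from Hitachi Solutions: the row layouts, the "HH:MM" window form of time 1003, the sample users and rules, and the C&C address are all assumptions. It also exercises the fallback described above, in that a client whose position information never arrived cannot be refined and therefore receives "prohibit network connection".

```python
"""Server-side policy selection for the position-based embodiment (FIG. 10, FIG. 12).

Added example; this is not code from the patent. The row layouts, the
"HH:MM" window notation for time 1003 and the sample values are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# The two operations named in the patent (operation 1005 during policy application).
PROHIBIT_NETWORK = "prohibit network connection"
PROHIBIT_C2 = "prohibit C&C server connection"


@dataclass(frozen=True)
class UserRecord:
    """One row of the user database 807 (FIG. 9)."""
    name: str
    affiliation: str
    position: str            # job title
    ip: str                  # IP address 904
    location: Optional[str]  # position information 905; None until step 1204 stores it


@dataclass(frozen=True)
class PolicyRule:
    """One row of the security policy database 809 (FIG. 10)."""
    affiliation: str         # 1001
    position: str            # 1002
    start: str               # time 1003 as a [start, end) window, "HH:MM"
    end: str
    location: str            # position information 1004
    operation: str           # operation 1005


def in_window(now: str, start: str, end: str) -> bool:
    """True if now lies in [start, end). Zero-padded "HH:MM" strings compare
    correctly as text; a window whose end is before its start wraps midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def select_policies(users, rules, now, default=PROHIBIT_NETWORK):
    """Steps 1205-1206: choose one operation per managed client.

    A rule applies to a user when affiliation, position and the position
    information collected in step 1203 all match and `now` lies in the
    rule's window. The first matching row wins. A user with no matching row
    (including one whose position information never arrived) gets the
    default, mirroring the fallback to full network isolation.
    Returns {ip: operation}.
    """
    decisions = {}
    for u in users:
        chosen = default
        for r in rules:
            if (r.affiliation, r.position) != (u.affiliation, u.position):
                continue
            if u.location is None or r.location != u.location:
                continue
            if in_window(now, r.start, r.end):
                chosen = r.operation
                break
        decisions[u.ip] = chosen
    return decisions


def build_deliveries(decisions, c2_info):
    """Step 1207: attach the C&C server information to every client's policy."""
    return {ip: {"operation": op, "c2": list(c2_info)} for ip, op in decisions.items()}


# Constructed sample data (assumed values, not taken from the patent).
USERS = [
    UserRecord("alice", "systems", "section chief", "10.0.0.11", "Tokyo HQ"),
    UserRecord("bob", "sales", "staff", "10.0.0.12", "Osaka branch"),
    UserRecord("carol", "sales", "staff", "10.0.0.13", None),   # no GPS fix reported
]
RULES = [
    PolicyRule("systems", "section chief", "09:00", "18:00", "Tokyo HQ", PROHIBIT_C2),
    PolicyRule("sales", "staff", "09:00", "18:00", "Osaka branch", PROHIBIT_C2),
    PolicyRule("sales", "staff", "18:00", "09:00", "Osaka branch", PROHIBIT_NETWORK),
]
C2_INFO = ["203.0.113.7"]   # C&C address carried in the malware detection information

if __name__ == "__main__":
    for ip, msg in build_deliveries(select_policies(USERS, RULES, "10:30"), C2_INFO).items():
        print(ip, msg)
```

Rule order matters: the first row that matches wins, so a table that lists a permissive row (block only the C&C address) before a restrictive one for the same affiliation, position and location will never reach the restrictive row during overlapping windows.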
  • In the present embodiment, the security policy is determined by taking into consideration the number of network administrators in attendance, and network connection of the client machine, or access to the C&C server, is controlled accordingly to prevent information leakage.
  • Here, the network administrators include all of the staff members of the systems department and all of the managerial staff members of the various departments.
  • FIG. 13 illustrates the overall configuration of an information leakage prevention system 300 according to the present embodiment.
  • In FIG. 13, portions corresponding to those of FIG. 1 are designated with identical or similar reference signs.
  • The basic configuration of the information leakage prevention system 300 is the same as that of the information leakage prevention system 100 according to the first embodiment.
  • Each of the client machines 1303 and 1311 has a computer as its basic configuration and is constituted by a CPU, a RAM, a ROM, a hard disk device, a network interface and the like.
  • The client machines 1303 and 1311 implement the anti-malware software 104 and a client processing unit 1314, whose functions are provided through the execution of a program by the CPU.
  • The client processing unit 1314 provides, through the execution of a program by the CPU, a user information transmission function, an attendance information processing function, a malware detection information transmission function, and a network control function.
  • These functions are the same as those of the first embodiment, with the exception of the attendance information processing function.
  • The attendance information processing function transmits, upon reception of an attendance information transmission request (a ping, i.e., an ICMP echo request) from the management server 1306, a response (echo reply) to the management server 1306 if the client machine is in operation.
  • The management server 1306 has a computer as its basic configuration and is constituted by a CPU, a RAM, a ROM, a hard disk device, a network interface and the like. A display device may be connected to the management server 1306 as needed. In the present embodiment, the management server 1306 implements a user database 1307, a security policy database 1309, and a server processing unit 1315.
  • The server processing unit 1315 provides, through the execution of a program by the CPU, a user information management function, an attendance information management function, a security policy management function, and a security policy transmission function.
  • These functions are the same as those of the first embodiment, with the exception of the attendance information management function.
  • The attendance information management function transmits, upon reception of malware detection information, a ping to all of the client machines 1303 and 1311 being managed.
  • The attendance information management function further determines, upon reception of a response to the ping (echo reply), whether the user of the client machine 1303 or 1311 that sent the response is a network administrator, and, if so, registers attendance information in the user database 1307.
  • The security policy transmission function, upon reception of a response (echo reply) from all of the client machines 1303 and 1311 to which the ping was transmitted, or in the event of a time-out, extracts the C&C server information from the received malware detection information and counts the number of network administrators in attendance from the data 1308 stored in the user database 1307.
  • On the basis of the current time for policy delivery and the counted number of network administrators, the security policy transmission function selects the combinations of affiliation and position that match the conditions, and selects from the security policy database 1309 the security policy to be applied to each combination.
  • The security policy transmission function then extracts from the user database 1307 the IP addresses corresponding to the combination of affiliation and position of the selected security policy, and transmits the selected security policy and the C&C server information to those IP addresses.
  • FIG. 14 illustrates a structure example of the data 1308 stored in the user database 1307 .
  • The user database 1307 includes, for each user, the data items of user name 1401, affiliation 1402, position 1403, IP address 1404 of the client machine, and attendance information 1405.
  • The information other than the attendance information 1405 is transmitted, upon startup, from the client machines 1303 and 1311 to the management server 1306 and stored in the user database 1307 by the management server 1306.
  • If the received user name 1401 is already registered in the user database 1307, the management server 1306 overwrites the affiliation 1402, position 1403, and IP address 1404 linked with the existing user name 1401 with the newly received information. If the received user name 1401 is not registered in the user database 1307, the management server 1306 stores the received user name 1401, affiliation 1402, position 1403, and IP address 1404 in a new row.
  • Upon reception of an echo reply to a transmitted ping, the management server 1306 searches the user database 1307 using the IP address 1404 that was the ping transmission destination, and, if the position 1403 of the user with the matching IP address 1404 is section chief or above, stores "attendance" in the attendance information 1405.
  • This processing is performed by the attendance information management function.
  • The IP address 1404 used as a ping transmission destination is always stored in the user database 1307; the case in which the IP address 1404 of a ping transmission destination is not stored in the user database 1307 is not contemplated.
  • FIG. 15 illustrates a structure example of data 1310 stored in the security policy database 1309 .
  • The security policy database 1309 includes the data items of affiliation 1501, position 1502, time of policy delivery 1503, the number of network administrators in attendance 1504 necessary for policy application, and operation during policy application 1505.
  • Upon reception of an echo reply from all of the ping transmission destinations, or in the event of a time-out, after receiving malware detection information from either of the client machines 1303 and 1311, the management server 1306 counts the number of network administrators in attendance from the user database 1307.
  • On the basis of the number of network administrators counted from the user database 1307 and the current time for policy delivery, the management server 1306 refers to the security policy database 1309 and selects the affiliation 1501, position 1502, and the security policy to be applied (operation during policy application 1505) that match the conditions.
  • If the security policy cannot be determined in this way, the management server 1306 assumes that the operation during policy application 1505 is "prohibit network connection" and delivers that policy to all of the client machines being managed.
  • The administrator of the management server 1306 can set the operation during policy application 1505 for each combination of affiliation 1501, position 1502, time 1503, and number of administrators in attendance 1504, and may modify or delete the data even after setting it.
  • FIG. 16 illustrates the processing procedure performed by the client machine 1303 infected with malware. Malware infection is detected by the anti-malware software 104 running in the client machine 1303. Upon detection of malware infection, the anti-malware software 104 outputs malware detection information (step 1601). Then, the client processing unit 1314 of the client machine 1303 transmits the malware detection information to the management server 1306 (step 1602).
  • Next, the client processing unit 1314 receives a ping from the management server 1306 (step 1603).
  • The client processing unit 1314 transmits an echo reply to the management server 1306 (step 1604).
  • The client processing unit 1314 then receives a security policy and C&C server information from the management server 1306 (step 1605). The client processing unit 1314 determines whether the operation during policy application included in the received security policy is "prohibit network connection" or "prohibit C&C server connection" (step 1606).
  • If the operation during policy application is "prohibit network connection", the client processing unit 1314 severs its connection with the network 102 and isolates itself from the network (step 1607). On the other hand, if the operation during policy application is "prohibit C&C server connection", the client processing unit 1314 prohibits connection only to the address of the C&C server 101 included in the received C&C server information (step 1608). In the client machine 1311, which is not infected with malware, only the operations from step 1603 onward are performed.
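Steps 1106 to 1108 and 1606 to 1608 are the same branch on the client side, so one example serves both. The following Python is an added example, not code from the patent: the JSON shape of the policy message, the shared-key HMAC tag, and the nft rule text (which assumes an `inet isolate` table with `input` and `output` chains already exists, and is returned as strings rather than executed) are all assumptions, since the patent does not say how the policy and C&C server information are encoded or authenticated. The authentication check is the one addition a practitioner would insist on before letting a message switch a whole fleet into network isolation.

```python
"""Client-side handling of a delivered policy (steps 1106-1108 / 1606-1608).

Added example, not code from the patent. The JSON message shape, the
shared-key HMAC tag and the nft rule strings are assumptions: the patent
does not say how the policy and C&C server information are encoded or
authenticated. Rules are returned as text, not executed.
"""
import hashlib
import hmac
import ipaddress
import json

PROHIBIT_NETWORK = "prohibit network connection"
PROHIBIT_C2 = "prohibit C&C server connection"


def verify_and_decode(raw: bytes, tag: bytes, key: bytes) -> dict:
    """Accept a policy message only if its HMAC-SHA256 over `raw` matches.

    This check is an addition beyond the patent text: without it, any host
    that can reach the client could deliver a 'prohibit network connection'
    message and take it offline, or a bogus C&C list that blocks arbitrary
    addresses. compare_digest avoids a timing side channel on the tag.
    """
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("policy message failed authentication; ignored")
    return json.loads(raw)


def plan_actions(policy: dict) -> list:
    """Step 1106/1606 branch, expressed as the firewall rules to apply.

    PROHIBIT_NETWORK drops all traffic (step 1107/1607); this also severs
    the management channel, so lifting the isolation needs a local operator.
    PROHIBIT_C2 drops only traffic to the delivered C&C addresses
    (step 1108/1608); a malformed address aborts the whole plan rather than
    being skipped, because a half-applied block list still leaves the
    infected host able to reach the C&C server.
    """
    op = policy.get("operation")
    if op == PROHIBIT_NETWORK:
        return ["nft add rule inet isolate output drop",
                "nft add rule inet isolate input drop"]
    if op == PROHIBIT_C2:
        rules = []
        for entry in policy.get("c2", []):
            addr = ipaddress.ip_address(entry)      # ValueError on hostnames or junk
            family = "ip6" if addr.version == 6 else "ip"
            rules.append(f"nft add rule inet isolate output {family} daddr {addr} drop")
        if not rules:
            raise ValueError("C&C block policy delivered without any C&C address")
        return rules
    raise ValueError(f"unknown operation during policy application: {op!r}")


def handle_policy_message(raw: bytes, tag: bytes, key: bytes) -> list:
    """Steps 1105-1108 end to end: authenticate, decode, plan."""
    return plan_actions(verify_and_decode(raw, tag, key))


# Constructed sample message, as the management server would send in step 1207.
SHARED_KEY = b"example-only-shared-key"      # assumed to be provisioned out of band
SAMPLE = json.dumps({"operation": PROHIBIT_C2,
                     "c2": ["203.0.113.7", "2001:db8::1"]}).encode()
SAMPLE_TAG = hmac.new(SHARED_KEY, SAMPLE, hashlib.sha256).digest()

if __name__ == "__main__":
    for rule in handle_policy_message(SAMPLE, SAMPLE_TAG, SHARED_KEY):
        print(rule)
```

Full isolation is deliberately all-or-nothing here: once the output chain drops everything, the client can no longer receive a later policy from the management server, which is the practical cost of the "prohibit network connection" operation that the targeted C&C block avoids.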
  • FIG. 17 illustrates the processing procedure performed by the management server 1306 when notified of malware infection.
  • The server processing unit 1315 receives malware detection information from the client machine 1303 (step 1701).
  • This malware detection information is the malware detection information transmitted in step 1602.
  • The server processing unit 1315 transmits a ping to the client machines 1303 and 1311 (step 1702). That is, the server processing unit 1315 transmits the ping (attendance information transmission request) not only to the client machine 1303 that has detected malware infection but to all of the client machines being managed. Thereafter, the server processing unit 1315 receives echo replies from the client machines 1303 and 1311 (step 1703). These echo replies are the echo replies transmitted in step 1604. An echo reply is not necessarily received from every one of the client machines 1303 and 1311; a client machine that does not answer before the time-out is not registered as in attendance.
  • The server processing unit 1315 then stores the attendance information of the user of each client machine that transmitted an echo reply in the user database 1307 (step 1704). It should be noted that the server processing unit 1315 registers only the attendance information of network administrators in the user database 1307, and does not register the attendance information of other users.
  • On the basis of the combination of the current time for policy delivery and the number of network administrators in attendance, the server processing unit 1315 selects the security policies to be delivered (step 1705).
  • The server processing unit 1315 compares the user information (affiliation and position) associated with each security policy selected in step 1705 with the user information (affiliation and position) in the user database 1307, and determines the IP addresses to which each security policy is to be transmitted (step 1706).
  • The server processing unit 1315 transmits the corresponding security policy and C&C server information to the determined IP addresses (step 1707).
  • This security policy and C&C server information are the security policy and C&C server information that the client machine receives in step 1605.
  • In this way, the security policy (operation during policy application) applied to the client machines 1303 and 1311 can be determined by combining the number of network administrators in attendance with the user's affiliation and position and the time of policy delivery. That is, it becomes possible to apply a more complex, or more flexible, security policy than in the case of the first embodiment.
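The attendance sweep and threshold selection of FIG. 17 (steps 1702 to 1706), as an added example in Python; this is not code from the patent. The ping is replaced by an injectable probe function so that the example runs offline; the row layouts and the "HH:MM" windows are assumptions; the administrator test combines the two statements in the text (every systems department member, and section chief or above elsewhere); and field 1504 is read as the minimum number of administrators that must have answered for the row to apply. The part worth watching is the time-out: an administrator whose echo reply arrives late is simply not counted, which can flip a group from a targeted C&C block to full isolation.

```python
"""Server side of the attendance-based embodiment (FIG. 14, FIG. 15, FIG. 17).

Added example, not code from the patent. The ping sweep is simulated via an
injectable probe() so it runs offline; the row layouts, "HH:MM" windows, the
administrator test (systems department or section chief and above, combining
the two statements in the text) and reading field 1504 as a minimum count
are assumptions.
"""
import time
from concurrent.futures import ThreadPoolExecutor, wait
from dataclasses import dataclass

PROHIBIT_NETWORK = "prohibit network connection"
PROHIBIT_C2 = "prohibit C&C server connection"
MANAGERIAL = {"section chief", "department head", "director"}  # assumed rank names

@dataclass
class UserRecord:            # row of user database 1307 (FIG. 14)
    name: str
    affiliation: str         # 1402
    position: str            # 1403
    ip: str                  # 1404
    attendance: str = ""     # 1405, written in step 1704

@dataclass(frozen=True)
class PolicyRule:            # row of security policy database 1309 (FIG. 15)
    affiliation: str         # 1501
    position: str            # 1502
    start: str               # time of policy delivery 1503 as [start, end), "HH:MM"
    end: str
    min_admins: int          # 1504: applies when at least this many admins answered
    operation: str           # 1505

def is_network_administrator(u):
    return u.affiliation == "systems" or u.position in MANAGERIAL

def sweep_attendance(users, probe, timeout_s):
    """Steps 1702-1704: ping all clients in parallel, wait at most timeout_s,
    mark 'attendance' for administrators that answered, return their count.
    probe(ip) -> bool stands in for an ICMP echo; a host still unanswered at
    the time-out is treated as absent, as in the patent's time-out branch."""
    for u in users:
        u.attendance = ""                        # fresh sweep
    by_ip = {u.ip: u for u in users}
    pool = ThreadPoolExecutor(max_workers=max(1, len(by_ip)))
    futures = {pool.submit(probe, ip): ip for ip in by_ip}
    done, _ = wait(list(futures), timeout=timeout_s)   # step 1703 with time-out
    pool.shutdown(wait=False)                    # never block on stragglers
    for f in done:
        u = by_ip[futures[f]]
        if f.result() and is_network_administrator(u):
            u.attendance = "attendance"
    return sum(u.attendance == "attendance" for u in users)

def select_policies(users, rules, now, admins_present, default=PROHIBIT_NETWORK):
    """Steps 1705-1706: first rule per client whose affiliation/position match,
    whose window holds `now` (zero-padded "HH:MM" compares correctly as text)
    and whose threshold is met; otherwise full isolation. Returns {ip: op}."""
    decisions = {}
    for u in users:
        chosen = default
        for r in rules:
            if (r.affiliation, r.position) != (u.affiliation, u.position):
                continue
            if r.start <= now < r.end and admins_present >= r.min_admins:
                chosen = r.operation
                break
        decisions[u.ip] = chosen
    return decisions

# Constructed sample data (assumed values, not taken from the patent).
USERS = [
    UserRecord("alice", "systems", "staff", "10.0.0.11"),         # admin (department)
    UserRecord("bob", "sales", "staff", "10.0.0.12"),             # not an admin
    UserRecord("dan", "sales", "section chief", "10.0.0.14"),     # admin (rank)
    UserRecord("erin", "systems", "section chief", "10.0.0.15"),  # admin, answers late
]
RULES = [  # more administrators on duty allows a more targeted response
    PolicyRule("sales", "staff", "09:00", "18:00", 2, PROHIBIT_C2),
    PolicyRule("sales", "section chief", "09:00", "18:00", 1, PROHIBIT_C2),
    PolicyRule("systems", "staff", "09:00", "18:00", 3, PROHIBIT_C2),
]

def make_probe(reachable, slow=(), delay_s=1.0):
    """Constructed stand-in for ping: hosts in `slow` reply after delay_s."""
    def probe(ip):
        if ip in slow:
            time.sleep(delay_s)
        return ip in reachable
    return probe

def run_sweep(timeout_s, now="10:30"):
    """The whole FIG. 17 flow on the sample data: sweep, count, select."""
    probe = make_probe({u.ip for u in USERS}, slow={"10.0.0.15"})
    admins = sweep_attendance(USERS, probe, timeout_s)
    return admins, select_policies(USERS, RULES, now, admins)
```

With a short time-out erin's reply is missed, two administrators are counted, and alice (systems staff, threshold 3) falls back to full isolation; with a time-out longer than erin's delay the count reaches three and alice gets the targeted C&C block instead. A client that matches no row (erin here) receives the default in either case.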
  • The present disclosure is not limited to the foregoing embodiments and may include various modifications.
  • The foregoing embodiments have been described in detail to facilitate an understanding of the present disclosure, and the disclosure is not necessarily limited to configurations having all of the elements described.
  • A part of the configuration of one embodiment may be replaced with the configuration of another embodiment.
  • The configuration of another embodiment may be added to the configuration of one embodiment.
  • Addition, deletion, or substitution of a part of the configuration of each embodiment may be made.
  • The configurations, functions, processing units, processing means and the like described above may be partly or entirely implemented in hardware, for example by designing an integrated circuit.
  • The configurations, functions and the like may also be implemented in software, by a processor interpreting and executing a program that performs each function.
  • The programs, tables, files and other information for implementing each function may be stored in a storage device such as a memory, a hard disk, or a solid state drive (SSD), or in a storage medium such as an IC card, an SD card, or a DVD.
  • The control lines and information lines illustrated are those considered necessary for the explanation, and do not necessarily represent all of the control lines or information lines required in a product. In practice, almost all of the configurations may be considered to be connected to each other.

US15/753,249 2015-12-25 2016-11-25 Information leakage prevention system and method Active 2038-01-19 US10924492B2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2015254597A JP6340358B2 (ja) 2015-12-25 2015-12-25 情報漏洩防止システム及び方法
JPJP2015-254597 2015-12-25
JP2015-254597 2015-12-25
PCT/JP2016/085003 WO2017110363A1 (ja) 2015-12-25 2016-11-25 情報漏洩防止システム及び方法

Publications (2)

Publication Number Publication Date
US20180241758A1 US20180241758A1 (en) 2018-08-23
US10924492B2 true US10924492B2 (en) 2021-02-16

Family

ID=59089329

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/753,249 Active 2038-01-19 US10924492B2 (en) 2015-12-25 2016-11-25 Information leakage prevention system and method

Country Status (3)

Country Link
US (1) US10924492B2 (en)
JP (1) JP6340358B2 (ja)
WO (1) WO2017110363A1 (ja)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11916961B2 (en) * 2017-09-28 2024-02-27 Optim Corporation Computer system, security setting suggestion method, and program
JP7013817B2 (ja) * 2017-11-24 2022-02-01 トヨタ自動車株式会社 医療情報システム、医療装置、データ通信方法、及び、プログラム
JP7009955B2 (ja) * 2017-11-24 2022-01-26 トヨタ自動車株式会社 医療データ通信装置、サーバ、医療データ通信方法および医療データ通信プログラム
JP7198617B2 (ja) * 2018-09-21 2023-01-04 株式会社日立ハイテクソリューションズ セキュリティシステム
CN110381088B (zh) * 2019-08-21 2021-11-12 牡丹江师范学院 一种基于物联网的数据安全保障方法

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008165601A (ja) * 2006-12-28 2008-07-17 Secure Ware:Kk 通信監視システム、通信監視装置、及び通信制御装置
JP5023801B2 (ja) * 2007-05-15 2012-09-12 富士ゼロックス株式会社 画像読取装置、画像処理システム及び画像処理プログラム
JP2009070073A (ja) * 2007-09-12 2009-04-02 Sumitomo Electric Ind Ltd 情報処理装置及びエージェントコンピュータプログラム
JP5012525B2 (ja) * 2008-01-17 2012-08-29 富士ゼロックス株式会社 セキュリティポリシーサーバ、セキュリティポリシー管理システム及びセキュリティポリシー管理プログラム
JP2010068427A (ja) * 2008-09-12 2010-03-25 Oki Electric Ind Co Ltd 情報制御システム、情報制御方法、および、移動中継装置
JP5669250B2 (ja) * 2009-11-06 2015-02-12 日本電信電話株式会社 情報アクセス制御システムとそのサーバ装置及び情報アクセス制御方法
US9621563B2 (en) * 2015-03-27 2017-04-11 International Business Machines Corporation Geographical location authentication

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020116639A1 (en) * 2001-02-21 2002-08-22 International Business Machines Corporation Method and apparatus for providing a business service for the detection, notification, and elimination of computer viruses
US7069316B1 (en) * 2002-02-19 2006-06-27 Mcafee, Inc. Automated Internet Relay Chat malware monitoring and interception
US9197664B1 (en) * 2004-04-01 2015-11-24 Fire Eye, Inc. System and method for malware containment
US9705911B2 (en) * 2005-06-30 2017-07-11 Nokia Technologies Oy System and method for using quarantine networks to protect cellular networks from viruses and worms
US20090328221A1 (en) * 2008-06-30 2009-12-31 Microsoft Corporation Malware detention for suspected malware
US20120005743A1 (en) 2010-06-30 2012-01-05 Mitsubishi Electric Corporation Internal network management system, internal network management method, and program
JP2012015684A (ja) 2010-06-30 2012-01-19 Mitsubishi Electric Corp 内部ネットワーク管理システム及び内部ネットワーク管理方法及びプログラム
US20140310811A1 (en) * 2013-04-11 2014-10-16 F-Secure Corporation Detecting and Marking Client Devices
US9294486B1 (en) * 2014-03-05 2016-03-22 Sandia Corporation Malware detection and analysis
US20150319187A1 (en) * 2014-04-30 2015-11-05 Institute For Information Industry Method, electronic device, and user interface for on-demand detecting malware
US9922191B1 (en) * 2017-01-05 2018-03-20 Votiro Cybersec Ltd. Determining malware prevention based on retrospective content scan
US20190228154A1 (en) * 2018-01-25 2019-07-25 Microsoft Technology Licensing, Llc Malware sequence detection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
International Search Report of PCT/JP2016/085003 dated Feb. 28, 2017.

Also Published As

Publication number Publication date
WO2017110363A1 (ja) 2017-06-29
JP6340358B2 (ja) 2018-06-06
US20180241758A1 (en) 2018-08-23
JP2017117354A (ja) 2017-06-29

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: HITACHI SOLUTIONS, LTD., JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:INOUE, ATSUO;OSHIDA, YUZO;HARADA, TATEKI;REEL/FRAME:044974/0461

Effective date: 20180115

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4